API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Aug 2nd, 2011
7,791
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 23.43 KB | None | 0 0
raw download clone embed print report
  1. this topic assumes that:
  2. 1) you are semi proficient at game hacking/memory editing/programming
  3. 2) you've already downloaded the JNA.jar and related files and know how to set it up.
  4.  
  5. I haven't found a solid example/explanation of how to do this, so i'll try my best;
  6.  
  7. warning: this is not purely java by any means. as far as I know, java can't interact with anything in the OS as it runs in a virtual machine. i have no idea how the hell this JNA thing works, but oh well.
  8.  
  9. In this example, you will be learning how to cheat at the game "3d pinball" that comes with windows by using JNA.jar to interface with the native windows functions for editing memory.
  10.  
  11. Now, I'm pretty clueless as to how the JNA actually works, and I pieced this together myself from pretty much nothing. It's still mostly magic to me, but I'll give you everything you need to get at least an example working.
  12.  
  13. First of all, you need an interface for each native windows function you want to use. Here's my code for Kernel32.dll. It is far from complete, but plenty for this example. Kernel32 contains the necessary crap for memory editing. I hope you knew that.
  14.  
  15. [code]
  16. import com.sun.jna.*;
  17. import com.sun.jna.win32.StdCallLibrary;
  18. import com.sun.jna.ptr.IntByReference;
  19.  
  20. // by deject3d
  21.  
  22. public interface Kernel32 extends StdCallLibrary
  23. {
  24. // description from msdn
  25. //BOOL WINAPI WriteProcessMemory(
  26. //__in HANDLE hProcess,
  27. //__in LPVOID lpBaseAddress,
  28. //__in LPCVOID lpBuffer,
  29. //__in SIZE_T nSize,
  30. //__out SIZE_T *lpNumberOfBytesWritten
  31. //);
  32. boolean WriteProcessMemory(Pointer p, int address, Pointer buffer, int size, IntByReference written);
  33.  
  34.  
  35. //BOOL WINAPI ReadProcessMemory(
  36. // __in HANDLE hProcess,
  37. // __in LPCVOID lpBaseAddress,
  38. // __out LPVOID lpBuffer,
  39. // __in SIZE_T nSize,
  40. // __out SIZE_T *lpNumberOfBytesRead
  41. // );
  42. boolean ReadProcessMemory(Pointer hProcess, int inBaseAddress, Pointer outputBuffer, int nSize, IntByReference outNumberOfBytesRead);
  43.  
  44.  
  45. //HANDLE WINAPI OpenProcess(
  46. // __in DWORD dwDesiredAccess,
  47. // __in BOOL bInheritHandle,
  48. // __in DWORD dwProcessId
  49. //);
  50. Pointer OpenProcess(int desired, boolean inherit, int pid);
  51.  
  52. /* derp */
  53. int GetLastError();
  54. }
  55. [/code]
  56.  
  57.  
  58. User32 also contains a few very important functions - GetWindowThreadProcessID and FindWindowA. Here's some code I luckily lifted off of google. I think it's the entire User32 class rewritten as java. Thanks, Mr. Todd Fast. now, this is way more than we need, but it could be nice to have someday.
  59.  
  60. [code]
  61. import com.sun.jna.Native;
  62. import com.sun.jna.Pointer;
  63. import com.sun.jna.Structure;
  64. import com.sun.jna.examples.win32.W32API;
  65. import com.sun.jna.examples.win32.GDI32.RECT;
  66. import com.sun.jna.ptr.ByteByReference;
  67. import com.sun.jna.ptr.IntByReference;
  68.  
  69. /** Provides access to the w32 user32 library.
  70. * Incomplete implementation to support demos.
  71. *
  72. * @author Todd Fast, todd.fast@sun.com
  73. * @author twall@users.sf.net
  74. */
  75. public interface User32 extends W32API {
  76.  
  77. User32 INSTANCE = (User32)
  78. Native.loadLibrary("user32", User32.class, DEFAULT_OPTIONS);
  79.  
  80. Pointer GetDC(Pointer hWnd);
  81. int ReleaseDC(Pointer hWnd, Pointer hDC);
  82.  
  83. int FLASHW_STOP = 0;
  84. int FLASHW_CAPTION = 1;
  85. int FLASHW_TRAY = 2;
  86. int FLASHW_ALL = (FLASHW_CAPTION|FLASHW_TRAY);
  87. int FLASHW_TIMER = 4;
  88. int FLASHW_TIMERNOFG = 12;
  89.  
  90. public static class FLASHWINFO extends Structure {
  91. public int cbSize;
  92. public Pointer hWnd;
  93. public int dwFlags;
  94. public int uCount;
  95. public int dwTimeout;
  96. }
  97.  
  98. int IMAGE_BITMAP=0;
  99. int IMAGE_ICON=1;
  100. int IMAGE_CURSOR=2;
  101. int IMAGE_ENHMETAFILE=3;
  102.  
  103. int LR_DEFAULTCOLOR =0x0000;
  104. int LR_MONOCHROME =0x0001;
  105. int LR_COLOR =0x0002;
  106. int LR_COPYRETURNORG =0x0004;
  107. int LR_COPYDELETEORG =0x0008;
  108. int LR_LOADFROMFILE =0x0010;
  109. int LR_LOADTRANSPARENT =0x0020;
  110. int LR_DEFAULTSIZE =0x0040;
  111. int LR_VGACOLOR =0x0080;
  112. int LR_LOADMAP3DCOLORS =0x1000;
  113. int LR_CREATEDIBSECTION =0x2000;
  114. int LR_COPYFROMRESOURCE =0x4000;
  115. int LR_SHARED =0x8000;
  116.  
  117. Pointer FindWindowA(String winClass, String title);
  118. int GetClassName(Pointer hWnd, byte[] lpClassName, int nMaxCount);
  119. public static class GUITHREADINFO extends Structure {
  120. public int cbSize = size();
  121. public int flags;
  122. Pointer hwndActive;
  123. Pointer hwndFocus;
  124. Pointer hwndCapture;
  125. Pointer hwndMenuOwner;
  126. Pointer hwndMoveSize;
  127. Pointer hwndCaret;
  128. RECT rcCaret;
  129. }
  130. boolean GetGUIThreadInfo(int idThread, GUITHREADINFO lpgui);
  131.  
  132. public static class WINDOWINFO extends Structure {
  133. public int cbSize = size();
  134. public RECT rcWindow;
  135. public RECT rcClient;
  136. public int dwStyle;
  137. public int dwExStyle;
  138. public int dwWindowStatus;
  139. public int cxWindowBorders;
  140. public int cyWindowBorders;
  141. public short atomWindowType;
  142. public short wCreatorVersion;
  143. }
  144. boolean GetWindowInfo(Pointer hWnd, WINDOWINFO pwi);
  145. boolean GetWindowRect(Pointer hWnd, RECT rect);
  146. int GetWindowText(Pointer hWnd, byte[] lpString, int nMaxCount);
  147. int GetWindowTextLength(Pointer hWnd);
  148. int GetWindowModuleFileName(Pointer hWnd, byte[] lpszFileName, int cchFileNameMax);
  149. int GetWindowThreadProcessId(Pointer hWnd, IntByReference lpdwProcessId);
  150. interface WNDENUMPROC extends StdCallCallback {
  151. /** Return whether to continue enumeration. */
  152. boolean callback(Pointer hWnd, Pointer data);
  153. }
  154. boolean EnumWindows(WNDENUMPROC lpEnumFunc, Pointer data);
  155. boolean EnumThreadWindows(int dwThreadId, WNDENUMPROC lpEnumFunc, Pointer data);
  156.  
  157. boolean FlashWindowEx(FLASHWINFO info);
  158.  
  159. Pointer LoadIcon(Pointer hInstance, String iconName);
  160.  
  161. Pointer LoadImage(Pointer hinst, // handle to instance
  162. String name, // image to load
  163. int type, // image type
  164. int xDesired, // desired width
  165. int yDesired, // desired height
  166. int load // load options
  167. );
  168.  
  169. boolean DestroyIcon(Pointer hicon);
  170.  
  171. int GWL_EXSTYLE = -20;
  172. int GWL_STYLE = -16;
  173. int GWL_WNDPROC = -4;
  174. int GWL_HINSTANCE = -6;
  175. int GWL_ID = -12;
  176. int GWL_USERDATA = -21;
  177. int DWL_DLGPROC = 4;
  178. int DWL_MSGRESULT = 0;
  179. int DWL_USER = 8;
  180. int WS_EX_COMPOSITED = 0x20000000;
  181. int WS_EX_LAYERED = 0x80000;
  182. int WS_EX_TRANSPARENT = 32;
  183. int GetWindowLong(Pointer hWnd, int nIndex);
  184. int SetWindowLong(Pointer hWnd, int nIndex, int dwNewLong);
  185.  
  186. int LWA_COLORKEY = 1;
  187. int LWA_ALPHA = 2;
  188. int ULW_COLORKEY = 1;
  189. int ULW_ALPHA = 2;
  190. int ULW_OPAQUE = 4;
  191. boolean SetLayeredWindowAttributes(Pointer hwnd, int crKey,
  192. byte bAlpha, int dwFlags);
  193. boolean GetLayeredWindowAttributes(Pointer hwnd,
  194. IntByReference pcrKey,
  195. ByteByReference pbAlpha,
  196. IntByReference pdwFlags);
  197.  
  198. /** Defines the x- and y-coordinates of a point. */
  199. public static class POINT extends Structure {
  200. public int x, y;
  201. }
  202. /** Specifies the width and height of a rectangle. */
  203. public static class SIZE extends Structure {
  204. public int cx, cy;
  205. }
  206. int AC_SRC_OVER = 0x00;
  207. int AC_SRC_ALPHA = 0x01;
  208. int AC_SRC_NO_PREMULT_ALPHA = 0x01;
  209. int AC_SRC_NO_ALPHA = 0x02;
  210. public static class BLENDFUNCTION extends Structure {
  211. public byte BlendOp = AC_SRC_OVER; // only valid value
  212. public byte BlendFlags = 0; // only valid value
  213. public byte SourceConstantAlpha;
  214. public byte AlphaFormat;
  215. }
  216. boolean UpdateLayeredWindow(Pointer hwnd, Pointer hdcDst,
  217. POINT pptDst, SIZE psize,
  218. Pointer hdcSrc, POINT pptSrc, int crKey,
  219. BLENDFUNCTION pblend, int dwFlags);
  220. int SetWindowRgn(Pointer hWnd, Pointer hRgn, boolean bRedraw);
  221. int VK_SHIFT = 16;
  222. int VK_LSHIFT = 0xA0;
  223. int VK_RSHIFT = 0xA1;
  224. int VK_CONTROL = 17;
  225. int VK_LCONTROL = 0xA2;
  226. int VK_RCONTROL = 0xA3;
  227. int VK_MENU = 18;
  228. int VK_LMENU = 0xA4;
  229. int VK_RMENU = 0xA5;
  230. boolean GetKeyboardState(byte[] state);
  231. short GetAsyncKeyState(int vKey);
  232. }
  233. [/code]
  234.  
  235. Good. copy and paste both of those into your java project.
  236.  
  237. Now, make the class that will be containing the actual code for cheating. I named my class Cheater.
  238.  
  239. [code]
  240. public class Cheater
  241. {
  242. public static void main(String[] args)
  243. {
  244.  
  245. }
  246. }
  247. [/code]
  248.  
  249. Amazing. now what?
  250.  
  251. First, imports. lots of them.
  252.  
  253. [code]
  254. import java.util.Arrays;
  255. import com.sun.jna.Memory;
  256. import com.sun.jna.Native;
  257. import com.sun.jna.Pointer;
  258. import com.sun.jna.ptr.IntByReference;
  259. import com.sun.jna.*;
  260.  
  261. public class Cheater
  262. {
  263. public static void main(String[] args)
  264. {
  265.  
  266. }
  267. }
  268. [/code]
  269.  
  270. Okay, cool. we've got imports. Can we start memory editing yet? no. not even close. you now need to load the native libraries using the JNA.
  271.  
  272. here's how.
  273.  
  274. [code]
  275. import java.util.Arrays;
  276. import com.sun.jna.Memory;
  277. import com.sun.jna.Native;
  278. import com.sun.jna.Pointer;
  279. import com.sun.jna.ptr.IntByReference;
  280. import com.sun.jna.*;
  281.  
  282. public class Cheater
  283. {
  284. static Kernel32 kernel32 = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);
  285. static User32 user32 = (User32) Native.loadLibrary("user32" , User32.class);
  286.  
  287. public static void main(String[] args)
  288. {
  289.  
  290. }
  291. }
  292. [/code]
  293.  
  294. cool spacing, eh? yeah, whatever. you should be focusing.
  295.  
  296. So, now that we have the interface's to the native functions all set up, we can start hackin', right?! still not close.
  297.  
  298. Pretend you're memory editing in C++ or visual basic or whatever else - what do you need to do first before you can read/write memory to a process? you need the process ID. so how the hell do we get the process ID? just like in C++ - we use GetWindowThreadProcessId() !
  299.  
  300. so, GetWindowThreadProcessID() is located in user32.dll - so let's peek at our interface.
  301.  
  302. [code]
  303. ...
  304. int GetWindowThreadProcessId(Pointer hWnd, IntByReference lpdwProcessId);
  305. ...
  306. [/code]
  307.  
  308. great, the function is in our interface. that means we can use it. but... how do we do that? what the hell is a Pointer in java terms? how do we get the hWnd?! IntByReference?! wtf?!
  309.  
  310. yeah, this is why this is hard to do. we're basically translating C++ into java.
  311.  
  312. anyways, the first parameter for GetWindowThreadProcessId() is a hWnd. how do we get that in C++? with FindWindowA() of course!
  313.  
  314. let's see now... yep, FindWindowA() is definitely in our user32 interface-
  315.  
  316. [code]
  317. Pointer FindWindowA(String winClass, String title);
  318. [/code]
  319.  
  320. luckily, it takes Strings (phew). us java users know how those work (i hope).
  321.  
  322. so let's piece together some code, shall we?
  323.  
  324. why not make a getProcessId() method in our cheater class just to make things easier to read and use.
  325.  
  326. [code]
  327. public static int getProcessId(String window)
  328. {
  329. IntByReference pid = new IntByReference(0);
  330. user32.GetWindowThreadProcessId(user32.FindWindowA(null,window), pid);
  331.  
  332. return pid.getValue();
  333. }
  334. [/code]
  335.  
  336. perfect. this will return the integer process ID of the window we ask for - but as you can probably tell, I skipped ahead of myself a bit.
  337.  
  338. the first thing you notice is
  339.  
  340. [code]
  341. IntByReference pid = new IntByReference(0);
  342. [/code]
  343.  
  344. an IntByReference comes from our import "import com.sun.jna.ptr.IntByReference;" It is just used as a pointer, basically. the variable "pid" is where GetWindowThreadProcessId will put the processes PID. we can't use just regular java ints because of what the MSDN documentation says:
  345.  
  346.  
  347. [code]
  348.  
  349. DWORD WINAPI GetWindowThreadProcessId(
  350. __in HWND hWnd,
  351. __out_opt LPDWORD lpdwProcessId
  352. );
  353. [/code]
  354. [url]http://msdn.microsoft.com/en-us/library/ms633522(VS.85).aspx[/url]
  355. "LPDWORD
  356. - A pointer to a variable that receives the process identifier."
  357.  
  358. since it has to be a pointer, we're forced to use IntByReference. You should be able to figure out how they work just by looking at the code above.
  359.  
  360. "pid.getValue()" just turns the pointer back into a regular java int. easy enough.
  361.  
  362. -------------------------
  363.  
  364. Alright, great. We can now get the process ID of a given process. here's how it should look:
  365.  
  366. [code]
  367. import java.util.Arrays;
  368. import com.sun.jna.Memory;
  369. import com.sun.jna.Native;
  370. import com.sun.jna.Pointer;
  371. import com.sun.jna.ptr.IntByReference;
  372. import com.sun.jna.*;
  373.  
  374. public class Cheater
  375. {
  376. static Kernel32 kernel32 = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);
  377. static User32 user32 = (User32) Native.loadLibrary("user32" , User32.class);
  378.  
  379. public static void main(String[] args)
  380. {
  381. int pid = getProcessId("3D Pinball for Windows - Space Cadet");
  382. }
  383.  
  384. public static int getProcessId(String window)
  385. {
  386. IntByReference pid = new IntByReference(0);
  387. user32.GetWindowThreadProcessId(user32.FindWindowA(null,window), pid);
  388.  
  389. return pid.getValue();
  390. }
  391. [/code]
  392.  
  393. great, we're getting somewhere. But what comes next? if this were C++, we would need to open the process so that we can start getting down and dirty. that's right, now we get to rewrite OpenProcess().
  394.  
  395. let's check it out in the Kernel32 interface;
  396.  
  397. [code]
  398. /*
  399. HANDLE WINAPI OpenProcess(
  400. __in DWORD dwDesiredAccess,
  401. __in BOOL bInheritHandle,
  402. __in DWORD dwProcessId
  403. );
  404. */
  405. Pointer OpenProcess(int desiredAccess, boolean inherit, int pid);
  406. [/code]
  407.  
  408. this should be relatively straightforward to any experienced people - the MSDN documentation ([url]http://msdn.microsoft.com/en-us/library/ms684320(VS.85).aspx[/url]) tells us the parameters.
  409.  
  410. so, it takes a DWORD (also known as double word (which is also known as int. 4 bytes. i'm sure you knew that.)) to know what access we're trying to open the process with. check out some of the possible values here- [url]http://msdn.microsoft.com/en-us/library/ms684880(v=VS.85).aspx[/url]
  411.  
  412. then we can see that it takes a boolean. the boolean isn't so important. we like it when it is true.
  413.  
  414. finally, it takes in the processID. we got that earlier! yay!
  415.  
  416. so let's write another method in our Cheater class to, once again, make things easier on ourself.
  417.  
  418. [code]
  419. public static Pointer openProcess(int permissions, int pid)
  420. {
  421. Pointer process = kernel32.OpenProcess(permissions,true, pid);
  422. return process;
  423. }
  424. [/code]
  425.  
  426. that was simple enough. the most difficult part of getting all of this to work is re-coding the C++ datatypes as java datatypes. I don't even remember how I figured out how it should return a Pointer. luckily for us, it gets even more difficult later. (since java has no unsigned data types)
  427.  
  428. so let's see how things are shaping up so far;
  429.  
  430. [code]
  431. import java.util.Arrays;
  432. import com.sun.jna.Memory;
  433. import com.sun.jna.Native;
  434. import com.sun.jna.Pointer;
  435. import com.sun.jna.ptr.IntByReference;
  436. import com.sun.jna.*;
  437.  
  438. public class Cheater
  439. {
  440. static Kernel32 kernel32 = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);
  441. static User32 user32 = (User32) Native.loadLibrary("user32" , User32.class);
  442.  
  443. public static void main(String[] args)
  444. {
  445. int pid = getProcessId("3D Pinball for Windows - Space Cadet");
  446. Pointer readprocess = openProcess(0x0010, pid);
  447. }
  448.  
  449. public static int getProcessId(String window)
  450. {
  451. IntByReference pid = new IntByReference(0);
  452. user32.GetWindowThreadProcessId(user32.FindWindowA(null,window), pid);
  453.  
  454. return pid.getValue();
  455. }
  456.  
  457. public static Pointer openProcess(int permissions, int pid)
  458. {
  459. Pointer process = kernel32.OpenProcess(permissions,true, pid);
  460. return process;
  461. }
  462. [/code]
  463.  
  464. if you're confused as to why "Pointer readprocess = openProcess(0x0010, pid);" has 0x0010, go back to this link: [url]http://msdn.microsoft.com/en-us/library/ms684880(v=VS.85).aspx[/url]
  465.  
  466. [quote]
  467. PROCESS_VM_READ (0x0010) Required to read memory in a process using ReadProcessMemory.
  468. [/quote]
  469.  
  470. right-o.
  471.  
  472. so now let's have some fun. let's make java print out our current score!
  473.  
  474. for that, we now need to recreate ReadProcessMemory(). I gave you the interface for it in the Kernel32 class:
  475.  
  476. [code]
  477. /*
  478. BOOL WINAPI ReadProcessMemory(
  479. __in HANDLE hProcess,
  480. __in LPCVOID lpBaseAddress,
  481. __out LPVOID lpBuffer,
  482. __in SIZE_T nSize,
  483. __out SIZE_T *lpNumberOfBytesRead
  484. );
  485. */
  486. boolean ReadProcessMemory(Pointer hProcess, int inBaseAddress, Pointer outputBuffer, int nSize, IntByReference outNumberOfBytesRead);
  487. [/code]
  488.  
  489. so let's go through those paremeters.
  490.  
  491. Pointer hProcess - check (our variable "readprocess")
  492.  
  493. int inBaseAddress - check (the memory address we want to start reading from. if you need help with this step, check out some tutorials on finding memory addresses using a memory searcher/editor such as Memory Hacking Software ([url]http://memoryhacking.com/)[/url])
  494.  
  495. Pointer outbutBuffer - ok, what the hell is this? let's check the trusty MSDN:
  496.  
  497. [quote]
  498. lpBuffer [out]
  499. A pointer to a buffer that receives the contents from the address space of the specified process.
  500. [/quote]
  501.  
  502. so basically, it's where the memory that we read is going to be stored. i'll show you how this works in a second.
  503.  
  504. int nSize - this is just how much memory we should be reading from the process (in bytes) remember, an integer value is 4 bytes. most of the time you're going to be reading 4 bytes if you want to read a number.
  505.  
  506. IntByReference outNumberOfBytesRead - the MSDN tells us that this will hold the number of bytes that actually gets read. it will be the same as nSize most of the time.
  507.  
  508. -------
  509.  
  510. alright, so let's piece this this together by making another method in our Cheater class.
  511.  
  512. [code]
  513. public static Memory readMemory(Pointer process, int address, int bytesToRead)
  514. {
  515. IntByReference read = new IntByReference(0);
  516. Memory output = new Memory(bytesToRead);
  517.  
  518. kernel32.ReadProcessMemory(process, address, output, bytesToRead, read);
  519. return output;
  520. }
  521. [/code]
  522.  
  523. let's break this down:
  524.  
  525. we know what an IntByReference is for, but what is a "Memory" ? Memory is just a class that the JNA uses to hold memory. go figure. the constructor it takes is how much memory it should hold (in bytes)
  526.  
  527. hopefully the rest is fully understandable. if not, feel free to ask about it.
  528.  
  529.  
  530. so this is how the Cheater class should look so far:
  531.  
  532. [code]
  533. import java.util.Arrays;
  534. import com.sun.jna.Memory;
  535. import com.sun.jna.Native;
  536. import com.sun.jna.Pointer;
  537. import com.sun.jna.ptr.IntByReference;
  538. import com.sun.jna.*;
  539.  
  540. public class Cheater
  541. {
  542. static Kernel32 kernel32 = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);
  543. static User32 user32 = (User32) Native.loadLibrary("user32" , User32.class);
  544.  
  545. public static void main(String[] args)
  546. {
  547. int pid = getProcessId("3D Pinball for Windows - Space Cadet");
  548. Pointer readprocess = openProcess(0x0010, pid);
  549. int size = 4;
  550. Memory read = readMemory(readprocess,0x00AB0C62,size);
  551. }
  552.  
  553. public static int getProcessId(String window)
  554. {
  555. IntByReference pid = new IntByReference(0);
  556. user32.GetWindowThreadProcessId(user32.FindWindowA(null,window), pid);
  557.  
  558. return pid.getValue();
  559. }
  560.  
  561. public static Pointer openProcess(int permissions, int pid)
  562. {
  563. Pointer process = kernel32.OpenProcess(permissions,true, pid);
  564. return process;
  565. }
  566.  
  567. public static Memory readMemory(Pointer process, int address, int bytesToRead)
  568. {
  569. IntByReference read = new IntByReference(0);
  570. Memory output = new Memory(bytesToRead);
  571.  
  572. kernel32.ReadProcessMemory(process, address, output, bytesToRead, read);
  573. return output;
  574. }
  575. }
  576. [/code]
  577.  
  578. "int size = 4;"
  579. this is the size in bytes of what we want to read. since the score is held in an integer and an integer is 4 bytes, we definitely want to read 4 bytes.
  580.  
  581. "Memory read = readMemory(readprocess,0x00AB0C62,size);"
  582. 0x00AB0C62 is the memory address that holds the score for pinball.
  583.  
  584. now you see that we're using the Memory class again to hold.. well, memory.
  585.  
  586. so how do we get the value out of the Memory class? simple. we read 4 bytes. 4 bytes is an integer. the Memory class has a method for this.
  587.  
  588. read.getInt(0) (0 is the offset. we don't want an offset)
  589.  
  590. so.. great. now we can read memory with java!
  591.  
  592. let's see how it all comes together.
  593.  
  594. [code]
  595. import java.util.Arrays;
  596. import com.sun.jna.Memory;
  597. import com.sun.jna.Native;
  598. import com.sun.jna.Pointer;
  599. import com.sun.jna.ptr.IntByReference;
  600. import com.sun.jna.*;
  601.  
  602. public class Cheater
  603. {
  604. static Kernel32 kernel32 = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);
  605. static User32 user32 = (User32) Native.loadLibrary("user32" , User32.class);
  606.  
  607. public static void main(String[] args)
  608. {
  609. int pid = getProcessId("3D Pinball for Windows - Space Cadet"); // get our process ID
  610. Pointer readprocess = openProcess(0x0010, pid); // open the process ID with read priviledges.
  611.  
  612. int size = 4; // we want to read 4 bytes
  613. Memory read = readMemory(readprocess,0x00AB0C62,size); // read 4 bytes of memory starting at the address 0x00AB0C62.
  614.  
  615. System.out.println(read.getInt(0)); // print out the value!
  616. }
  617.  
  618. public static int getProcessId(String window)
  619. {
  620. IntByReference pid = new IntByReference(0);
  621. user32.GetWindowThreadProcessId(user32.FindWindowA(null,window), pid);
  622.  
  623. return pid.getValue();
  624. }
  625.  
  626. public static Pointer openProcess(int permissions, int pid)
  627. {
  628. Pointer process = kernel32.OpenProcess(permissions,true, pid);
  629. return process;
  630. }
  631.  
  632. public static Memory readMemory(Pointer process, int address, int bytesToRead)
  633. {
  634. IntByReference read = new IntByReference(0);
  635. Memory output = new Memory(bytesToRead);
  636.  
  637. kernel32.ReadProcessMemory(process, address, output, bytesToRead, read);
  638. return output;
  639. }
  640. }
  641. [/code]
  642.  
  643. congratulations, you now have the framework for reading process memory with java.
  644.  
  645. i'm not going to jerk your chain around and make you guess on how to write memory with java. it's pretty much the same process:
  646.  
  647. [code]
  648. public static int writeMemory(Pointer process, int address, short[] data)
  649. {
  650. IntByReference written = new IntByReference(0);
  651.  
  652. Memory toWrite = new Memory(data.length);
  653.  
  654. for(long i = 0; i < data.length;i++)
  655. {
  656. toWrite.setShort(0, data[new Integer(Long.toString(i))]);
  657. }
  658.  
  659. boolean b = kernel32.WriteProcessMemory(process, address, toWrite, data.length, written);
  660. return written.getValue();
  661. }
  662. [/code]
  663.  
  664.  
  665. Enjoy!
  666.  
  667. - Deject3d
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!